PyPI - letta-nightly - Versions diffs - 0.11.7.dev20250916104104__py3-none-any.whl → 0.11.7.dev20250917104122__py3-none-any.whl - Mend

letta-nightly 0.11.7.dev20250916104104py3-none-any.whl → 0.11.7.dev20250917104122py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

letta/__init__.py +10 -2
letta/adapters/letta_llm_request_adapter.py +0 -1
letta/adapters/letta_llm_stream_adapter.py +0 -1
letta/agent.py +1 -1
letta/agents/letta_agent.py +1 -4
letta/agents/letta_agent_v2.py +2 -1
letta/agents/voice_agent.py +1 -1
letta/helpers/converters.py +8 -2
letta/helpers/crypto_utils.py +144 -0
letta/llm_api/llm_api_tools.py +0 -1
letta/llm_api/llm_client_base.py +0 -2
letta/orm/__init__.py +1 -0
letta/orm/agent.py +5 -1
letta/orm/job.py +3 -1
letta/orm/mcp_oauth.py +6 -0
letta/orm/mcp_server.py +7 -1
letta/orm/sqlalchemy_base.py +2 -1
letta/schemas/agent.py +10 -7
letta/schemas/job.py +10 -0
letta/schemas/mcp.py +146 -6
letta/schemas/provider_trace.py +0 -2
letta/schemas/run.py +2 -0
letta/schemas/secret.py +378 -0
letta/serialize_schemas/marshmallow_agent.py +4 -0
letta/server/rest_api/routers/v1/__init__.py +2 -0
letta/server/rest_api/routers/v1/agents.py +9 -4
letta/server/rest_api/routers/v1/archives.py +113 -0
letta/server/rest_api/routers/v1/jobs.py +7 -2
letta/server/rest_api/routers/v1/runs.py +9 -1
letta/server/rest_api/routers/v1/tools.py +7 -26
letta/services/agent_manager.py +17 -9
letta/services/agent_serialization_manager.py +11 -3
letta/services/archive_manager.py +73 -0
letta/services/helpers/agent_manager_helper.py +6 -1
letta/services/job_manager.py +18 -2
letta/services/mcp_manager.py +198 -82
letta/services/telemetry_manager.py +2 -0
letta/services/tool_executor/composio_tool_executor.py +1 -1
letta/services/tool_sandbox/base.py +2 -3
{letta_nightly-0.11.7.dev20250916104104.dist-info → letta_nightly-0.11.7.dev20250917104122.dist-info}/METADATA +5 -2
{letta_nightly-0.11.7.dev20250916104104.dist-info → letta_nightly-0.11.7.dev20250917104122.dist-info}/RECORD +44 -41
{letta_nightly-0.11.7.dev20250916104104.dist-info → letta_nightly-0.11.7.dev20250917104122.dist-info}/WHEEL +0 -0
{letta_nightly-0.11.7.dev20250916104104.dist-info → letta_nightly-0.11.7.dev20250917104122.dist-info}/entry_points.txt +0 -0
{letta_nightly-0.11.7.dev20250916104104.dist-info → letta_nightly-0.11.7.dev20250917104122.dist-info}/licenses/LICENSE +0 -0

letta/schemas/mcp.py CHANGED Viewed

@@ -13,6 +13,8 @@ from letta.functions.mcp_client.types import (
 )
 from letta.orm.mcp_oauth import OAuthSessionStatus
 from letta.schemas.letta_base import LettaBase
+from letta.schemas.secret import Secret, SecretDict
+from letta.settings import settings
 class BaseMCPServer(LettaBase):
@@ -29,6 +31,9 @@ class MCPServer(BaseMCPServer):
     token: Optional[str] = Field(None, description="The access token or API key for the MCP server (used for authentication)")
     custom_headers: Optional[Dict[str, str]] = Field(None, description="Custom authentication headers as key-value pairs")
+    token_enc: Optional[str] = Field(None, description="Encrypted token")
+    custom_headers_enc: Optional[str] = Field(None, description="Encrypted custom headers")
     # stdio config
     stdio_config: Optional[StdioServerConfig] = Field(
         None, description="The configuration for the server (MCP 'local' client will run this command)"
@@ -41,18 +46,76 @@ class MCPServer(BaseMCPServer):
     last_updated_by_id: Optional[str] = Field(None, description="The id of the user that made this Tool.")
     metadata_: Optional[Dict[str, Any]] = Field(default_factory=dict, description="A dictionary of additional metadata for the tool.")
+    def get_token_secret(self) -> Secret:
+        """Get the token as a Secret object, preferring encrypted over plaintext."""
+        return Secret.from_db(self.token_enc, self.token)
+    def get_custom_headers_secret(self) -> SecretDict:
+        """Get custom headers as a SecretDict object, preferring encrypted over plaintext."""
+        return SecretDict.from_db(self.custom_headers_enc, self.custom_headers)
+    def set_token_secret(self, secret: Secret) -> None:
+        """Set token from a Secret object, updating both encrypted and plaintext fields."""
+        secret_dict = secret.to_dict()
+        self.token_enc = secret_dict["encrypted"]
+        # Only set plaintext during migration phase
+        if not secret._was_encrypted:
+            self.token = secret_dict["plaintext"]
+        else:
+            self.token = None
+    def set_custom_headers_secret(self, secret: SecretDict) -> None:
+        """Set custom headers from a SecretDict object, updating both fields."""
+        secret_dict = secret.to_dict()
+        self.custom_headers_enc = secret_dict["encrypted"]
+        # Only set plaintext during migration phase
+        if not secret._was_encrypted:
+            self.custom_headers = secret_dict["plaintext"]
+        else:
+            self.custom_headers = None
+    def model_dump(self, to_orm: bool = False, **kwargs):
+        """Override model_dump to handle encryption when saving to database."""
+        data = super().model_dump(to_orm=to_orm, **kwargs)
+        if to_orm and settings.encryption_key:
+            # Encrypt token if present
+            if self.token is not None:
+                token_secret = Secret.from_plaintext(self.token)
+                secret_dict = token_secret.to_dict()
+                data["token_enc"] = secret_dict["encrypted"]
+                # Keep plaintext for dual-write during migration
+                data["token"] = secret_dict["plaintext"]
+            # Encrypt custom headers if present
+            if self.custom_headers is not None:
+                headers_secret = SecretDict.from_plaintext(self.custom_headers)
+                secret_dict = headers_secret.to_dict()
+                data["custom_headers_enc"] = secret_dict["encrypted"]
+                # Keep plaintext for dual-write during migration
+                data["custom_headers"] = secret_dict["plaintext"]
+        return data
     def to_config(
         self,
         environment_variables: Optional[Dict[str, str]] = None,
         resolve_variables: bool = True,
     ) -> Union[SSEServerConfig, StdioServerConfig, StreamableHTTPServerConfig]:
+        # Get decrypted values for use in config
+        token_secret = self.get_token_secret()
+        token_plaintext = token_secret.get_plaintext()
+        headers_secret = self.get_custom_headers_secret()
+        headers_plaintext = headers_secret.get_plaintext()
         if self.server_type == MCPServerType.SSE:
             config = SSEServerConfig(
                 server_name=self.server_name,
                 server_url=self.server_url,
-                auth_header=MCP_AUTH_HEADER_AUTHORIZATION if self.token and not self.custom_headers else None,
-                auth_token=f"{MCP_AUTH_TOKEN_BEARER_PREFIX} {self.token}" if self.token and not self.custom_headers else None,
-                custom_headers=self.custom_headers,
+                auth_header=MCP_AUTH_HEADER_AUTHORIZATION if token_plaintext and not headers_plaintext else None,
+                auth_token=f"{MCP_AUTH_TOKEN_BEARER_PREFIX} {token_plaintext}" if token_plaintext and not headers_plaintext else None,
+                custom_headers=headers_plaintext,
             )
             if resolve_variables:
                 config.resolve_environment_variables(environment_variables)
@@ -70,9 +133,9 @@ class MCPServer(BaseMCPServer):
             config = StreamableHTTPServerConfig(
                 server_name=self.server_name,
                 server_url=self.server_url,
-                auth_header=MCP_AUTH_HEADER_AUTHORIZATION if self.token and not self.custom_headers else None,
-                auth_token=f"{MCP_AUTH_TOKEN_BEARER_PREFIX} {self.token}" if self.token and not self.custom_headers else None,
-                custom_headers=self.custom_headers,
+                auth_header=MCP_AUTH_HEADER_AUTHORIZATION if token_plaintext and not headers_plaintext else None,
+                auth_token=f"{MCP_AUTH_TOKEN_BEARER_PREFIX} {token_plaintext}" if token_plaintext and not headers_plaintext else None,
+                custom_headers=headers_plaintext,
             )
             if resolve_variables:
                 config.resolve_environment_variables(environment_variables)
@@ -138,11 +201,18 @@ class MCPOAuthSession(BaseMCPOAuth):
     expires_at: Optional[datetime] = Field(None, description="Token expiry time")
     scope: Optional[str] = Field(None, description="OAuth scope")
+    # Encrypted token fields (for internal use)
+    access_token_enc: Optional[str] = Field(None, description="Encrypted OAuth access token")
+    refresh_token_enc: Optional[str] = Field(None, description="Encrypted OAuth refresh token")
     # Client configuration
     client_id: Optional[str] = Field(None, description="OAuth client ID")
     client_secret: Optional[str] = Field(None, description="OAuth client secret")
     redirect_uri: Optional[str] = Field(None, description="OAuth redirect URI")
+    # Encrypted client secret (for internal use)
+    client_secret_enc: Optional[str] = Field(None, description="Encrypted OAuth client secret")
     # Session state
     status: OAuthSessionStatus = Field(default=OAuthSessionStatus.PENDING, description="Session status")
@@ -150,6 +220,76 @@ class MCPOAuthSession(BaseMCPOAuth):
     created_at: datetime = Field(default_factory=datetime.now, description="Session creation time")
     updated_at: datetime = Field(default_factory=datetime.now, description="Last update time")
+    def get_access_token_secret(self) -> Secret:
+        """Get the access token as a Secret object, preferring encrypted over plaintext."""
+        return Secret.from_db(self.access_token_enc, self.access_token)
+    def get_refresh_token_secret(self) -> Secret:
+        """Get the refresh token as a Secret object, preferring encrypted over plaintext."""
+        return Secret.from_db(self.refresh_token_enc, self.refresh_token)
+    def get_client_secret_secret(self) -> Secret:
+        """Get the client secret as a Secret object, preferring encrypted over plaintext."""
+        return Secret.from_db(self.client_secret_enc, self.client_secret)
+    def set_access_token_secret(self, secret: Secret) -> None:
+        """Set access token from a Secret object."""
+        secret_dict = secret.to_dict()
+        self.access_token_enc = secret_dict["encrypted"]
+        if not secret._was_encrypted:
+            self.access_token = secret_dict["plaintext"]
+        else:
+            self.access_token = None
+    def set_refresh_token_secret(self, secret: Secret) -> None:
+        """Set refresh token from a Secret object."""
+        secret_dict = secret.to_dict()
+        self.refresh_token_enc = secret_dict["encrypted"]
+        if not secret._was_encrypted:
+            self.refresh_token = secret_dict["plaintext"]
+        else:
+            self.refresh_token = None
+    def set_client_secret_secret(self, secret: Secret) -> None:
+        """Set client secret from a Secret object."""
+        secret_dict = secret.to_dict()
+        self.client_secret_enc = secret_dict["encrypted"]
+        if not secret._was_encrypted:
+            self.client_secret = secret_dict["plaintext"]
+        else:
+            self.client_secret = None
+    def model_dump(self, to_orm: bool = False, **kwargs):
+        """Override model_dump to handle encryption when saving to database."""
+        data = super().model_dump(to_orm=to_orm, **kwargs)
+        if to_orm and settings.encryption_key:
+            # Encrypt access token if present
+            if self.access_token is not None:
+                token_secret = Secret.from_plaintext(self.access_token)
+                secret_dict = token_secret.to_dict()
+                data["access_token_enc"] = secret_dict["encrypted"]
+                # Keep plaintext for dual-write during migration
+                data["access_token"] = secret_dict["plaintext"]
+            # Encrypt refresh token if present
+            if self.refresh_token is not None:
+                token_secret = Secret.from_plaintext(self.refresh_token)
+                secret_dict = token_secret.to_dict()
+                data["refresh_token_enc"] = secret_dict["encrypted"]
+                # Keep plaintext for dual-write during migration
+                data["refresh_token"] = secret_dict["plaintext"]
+            # Encrypt client secret if present
+            if self.client_secret is not None:
+                secret = Secret.from_plaintext(self.client_secret)
+                secret_dict = secret.to_dict()
+                data["client_secret_enc"] = secret_dict["encrypted"]
+                # Keep plaintext for dual-write during migration
+                data["client_secret"] = secret_dict["plaintext"]
+        return data
 class MCPOAuthSessionCreate(BaseMCPOAuth):
     """Create a new OAuth session."""

letta/schemas/provider_trace.py CHANGED Viewed

@@ -19,7 +19,6 @@ class ProviderTraceCreate(BaseModel):
     request_json: dict[str, Any] = Field(..., description="JSON content of the provider request")
     response_json: dict[str, Any] = Field(..., description="JSON content of the provider response")
     step_id: str = Field(None, description="ID of the step that this trace is associated with")
-    organization_id: str = Field(..., description="The unique identifier of the organization.")
 class ProviderTrace(BaseProviderTrace):
@@ -39,5 +38,4 @@ class ProviderTrace(BaseProviderTrace):
     request_json: Dict[str, Any] = Field(..., description="JSON content of the provider request")
     response_json: Dict[str, Any] = Field(..., description="JSON content of the provider response")
     step_id: Optional[str] = Field(None, description="ID of the step that this trace is associated with")
-    organization_id: str = Field(..., description="The unique identifier of the organization.")
     created_at: datetime = Field(default_factory=get_utc_time, description="The timestamp when the object was created.")

letta/schemas/run.py CHANGED Viewed

@@ -4,6 +4,7 @@ from pydantic import Field
 from letta.schemas.enums import JobType
 from letta.schemas.job import Job, JobBase, LettaRequestConfig
+from letta.schemas.letta_stop_reason import StopReasonType
 class RunBase(JobBase):
@@ -29,6 +30,7 @@ class Run(RunBase):
     id: str = RunBase.generate_id_field()
     user_id: Optional[str] = Field(None, description="The unique identifier of the user associated with the run.")
     request_config: Optional[LettaRequestConfig] = Field(None, description="The request configuration for the run.")
+    stop_reason: Optional[StopReasonType] = Field(None, description="The reason why the run was stopped.")
     @classmethod
     def from_job(cls, job: Job) -> "Run":

letta/schemas/secret.py ADDED Viewed

@@ -0,0 +1,378 @@
+import json
+from typing import Any, Dict, Optional
+from pydantic import BaseModel, ConfigDict, PrivateAttr
+from letta.helpers.crypto_utils import CryptoUtils
+from letta.log import get_logger
+logger = get_logger(__name__)
+class Secret(BaseModel):
+    """
+    A wrapper class for encrypted credentials that keeps values encrypted in memory.
+    This class ensures that sensitive data remains encrypted as much as possible
+    while passing through the codebase, only decrypting when absolutely necessary.
+    TODO: Once we deprecate plaintext columns in the database:
+    - Remove the dual-write logic in to_dict()
+    - Remove the from_db() method's plaintext_value parameter
+    - Remove the _was_encrypted flag (no longer needed for migration)
+    - Simplify get_plaintext() to only handle encrypted values
+    """
+    # Store the encrypted value
+    _encrypted_value: Optional[str] = PrivateAttr(default=None)
+    # Cache the decrypted value to avoid repeated decryption
+    _plaintext_cache: Optional[str] = PrivateAttr(default=None)
+    # Flag to indicate if the value was originally encrypted
+    _was_encrypted: bool = PrivateAttr(default=False)
+    model_config = ConfigDict(frozen=True)
+    @classmethod
+    def from_plaintext(cls, value: Optional[str]) -> "Secret":
+        """
+        Create a Secret from a plaintext value, encrypting it if possible.
+        Args:
+            value: The plaintext value to encrypt
+        Returns:
+            A Secret instance with the encrypted value, or plaintext if encryption unavailable
+        """
+        if value is None:
+            instance = cls()
+            instance._encrypted_value = None
+            instance._was_encrypted = False
+            return instance
+        # Try to encrypt, but fall back to plaintext if no encryption key
+        try:
+            encrypted = CryptoUtils.encrypt(value)
+            instance = cls()
+            instance._encrypted_value = encrypted
+            instance._was_encrypted = False
+            return instance
+        except ValueError as e:
+            # No encryption key available, store as plaintext
+            if "No encryption key configured" in str(e):
+                logger.warning(
+                    "No encryption key configured. Storing Secret value as plaintext. "
+                    "Set LETTA_ENCRYPTION_KEY environment variable to enable encryption."
+                )
+                instance = cls()
+                instance._encrypted_value = value  # Store plaintext
+                instance._plaintext_cache = value  # Cache it
+                instance._was_encrypted = False
+                return instance
+            raise  # Re-raise if it's a different error
+    @classmethod
+    def from_encrypted(cls, encrypted_value: Optional[str]) -> "Secret":
+        """
+        Create a Secret from an already encrypted value.
+        Args:
+            encrypted_value: The encrypted value
+        Returns:
+            A Secret instance
+        """
+        instance = cls()
+        instance._encrypted_value = encrypted_value
+        instance._was_encrypted = True
+        return instance
+    @classmethod
+    def from_db(cls, encrypted_value: Optional[str], plaintext_value: Optional[str]) -> "Secret":
+        """
+        Create a Secret from database values during migration phase.
+        Prefers encrypted value if available, falls back to plaintext.
+        Args:
+            encrypted_value: The encrypted value from the database
+            plaintext_value: The plaintext value from the database
+        Returns:
+            A Secret instance
+        """
+        if encrypted_value is not None:
+            return cls.from_encrypted(encrypted_value)
+        elif plaintext_value is not None:
+            return cls.from_plaintext(plaintext_value)
+        else:
+            return cls.from_plaintext(None)
+    def get_encrypted(self) -> Optional[str]:
+        """
+        Get the encrypted value.
+        Returns:
+            The encrypted value, or None if the secret is empty
+        """
+        return self._encrypted_value
+    def get_plaintext(self) -> Optional[str]:
+        """
+        Get the decrypted plaintext value.
+        This should only be called when the plaintext is actually needed,
+        such as when making an external API call.
+        Returns:
+            The decrypted plaintext value
+        """
+        if self._encrypted_value is None:
+            return None
+        # Use cached value if available, but only if it looks like plaintext
+        # or we're confident we can decrypt it
+        if self._plaintext_cache is not None:
+            # If we have a cache but the stored value looks encrypted and we have no key,
+            # we should not use the cache
+            if CryptoUtils.is_encrypted(self._encrypted_value) and not CryptoUtils.is_encryption_available():
+                self._plaintext_cache = None  # Clear invalid cache
+            else:
+                return self._plaintext_cache
+        # Decrypt and cache
+        try:
+            plaintext = CryptoUtils.decrypt(self._encrypted_value)
+            # Cache the decrypted value (PrivateAttr fields can be mutated even with frozen=True)
+            self._plaintext_cache = plaintext
+            return plaintext
+        except ValueError as e:
+            error_msg = str(e)
+            # Handle missing encryption key
+            if "No encryption key configured" in error_msg:
+                # Check if the value looks encrypted
+                if CryptoUtils.is_encrypted(self._encrypted_value):
+                    # Value was encrypted, but now we have no key - can't decrypt
+                    logger.warning(
+                        "Cannot decrypt Secret value - no encryption key configured. "
+                        "The value was encrypted and requires the original key to decrypt."
+                    )
+                    # Return None to indicate we can't get the plaintext
+                    return None
+                else:
+                    # Value is plaintext (stored when no key was available)
+                    logger.debug("Secret value is plaintext (stored without encryption)")
+                    self._plaintext_cache = self._encrypted_value
+                    return self._encrypted_value
+            # Handle decryption failure (might be plaintext stored as such)
+            elif "Failed to decrypt data" in error_msg:
+                # Check if it might be plaintext
+                if not CryptoUtils.is_encrypted(self._encrypted_value):
+                    # It's plaintext that was stored when no key was available
+                    logger.debug("Secret value appears to be plaintext (stored without encryption)")
+                    self._plaintext_cache = self._encrypted_value
+                    return self._encrypted_value
+                # Otherwise, it's corrupted or wrong key
+                logger.error("Failed to decrypt Secret value - data may be corrupted or wrong key")
+                raise
+            # Migration case: handle legacy plaintext
+            elif not self._was_encrypted:
+                if self._encrypted_value and not CryptoUtils.is_encrypted(self._encrypted_value):
+                    self._plaintext_cache = self._encrypted_value
+                    return self._encrypted_value
+                return None
+            # Re-raise for other errors
+            raise
+    def is_empty(self) -> bool:
+        """Check if the secret is empty/None."""
+        return self._encrypted_value is None
+    def __str__(self) -> str:
+        """String representation that doesn't expose the actual value."""
+        if self.is_empty():
+            return "<Secret: empty>"
+        return "<Secret: ****>"
+    def __repr__(self) -> str:
+        """Representation that doesn't expose the actual value."""
+        return self.__str__()
+    def to_dict(self) -> Dict[str, Any]:
+        """
+        Convert to dictionary for database storage.
+        Returns both encrypted and plaintext values for dual-write during migration.
+        """
+        return {"encrypted": self.get_encrypted(), "plaintext": self.get_plaintext() if not self._was_encrypted else None}
+    def __eq__(self, other: Any) -> bool:
+        """
+        Compare two secrets by their plaintext values.
+        Note: This decrypts both values, so use sparingly.
+        """
+        if not isinstance(other, Secret):
+            return False
+        return self.get_plaintext() == other.get_plaintext()
+class SecretDict(BaseModel):
+    """
+    A wrapper for dictionaries containing sensitive key-value pairs.
+    Used for custom headers and other key-value configurations.
+    TODO: Once we deprecate plaintext columns in the database:
+    - Remove the dual-write logic in to_dict()
+    - Remove the from_db() method's plaintext_value parameter
+    - Remove the _was_encrypted flag (no longer needed for migration)
+    - Simplify get_plaintext() to only handle encrypted JSON values
+    """
+    _encrypted_value: Optional[str] = PrivateAttr(default=None)
+    _plaintext_cache: Optional[Dict[str, str]] = PrivateAttr(default=None)
+    _was_encrypted: bool = PrivateAttr(default=False)
+    model_config = ConfigDict(frozen=True)
+    @classmethod
+    def from_plaintext(cls, value: Optional[Dict[str, str]]) -> "SecretDict":
+        """Create a SecretDict from a plaintext dictionary."""
+        if value is None:
+            instance = cls()
+            instance._encrypted_value = None
+            instance._was_encrypted = False
+            return instance
+        # Serialize to JSON then try to encrypt
+        json_str = json.dumps(value)
+        try:
+            encrypted = CryptoUtils.encrypt(json_str)
+            instance = cls()
+            instance._encrypted_value = encrypted
+            instance._was_encrypted = False
+            return instance
+        except ValueError as e:
+            # No encryption key available, store as plaintext JSON
+            if "No encryption key configured" in str(e):
+                logger.warning(
+                    "No encryption key configured. Storing SecretDict value as plaintext JSON. "
+                    "Set LETTA_ENCRYPTION_KEY environment variable to enable encryption."
+                )
+                instance = cls()
+                instance._encrypted_value = json_str  # Store JSON string
+                instance._plaintext_cache = value  # Cache the dict
+                instance._was_encrypted = False
+                return instance
+            raise  # Re-raise if it's a different error
+    @classmethod
+    def from_encrypted(cls, encrypted_value: Optional[str]) -> "SecretDict":
+        """Create a SecretDict from an encrypted value."""
+        instance = cls()
+        instance._encrypted_value = encrypted_value
+        instance._was_encrypted = True
+        return instance
+    @classmethod
+    def from_db(cls, encrypted_value: Optional[str], plaintext_value: Optional[Dict[str, str]]) -> "SecretDict":
+        """Create a SecretDict from database values during migration phase."""
+        if encrypted_value is not None:
+            return cls.from_encrypted(encrypted_value)
+        elif plaintext_value is not None:
+            return cls.from_plaintext(plaintext_value)
+        else:
+            return cls.from_plaintext(None)
+    def get_encrypted(self) -> Optional[str]:
+        """Get the encrypted value."""
+        return self._encrypted_value
+    def get_plaintext(self) -> Optional[Dict[str, str]]:
+        """Get the decrypted dictionary."""
+        if self._encrypted_value is None:
+            return None
+        # Use cached value if available, but only if it looks like plaintext
+        # or we're confident we can decrypt it
+        if self._plaintext_cache is not None:
+            # If we have a cache but the stored value looks encrypted and we have no key,
+            # we should not use the cache
+            if CryptoUtils.is_encrypted(self._encrypted_value) and not CryptoUtils.is_encryption_available():
+                self._plaintext_cache = None  # Clear invalid cache
+            else:
+                return self._plaintext_cache
+        try:
+            decrypted_json = CryptoUtils.decrypt(self._encrypted_value)
+            plaintext_dict = json.loads(decrypted_json)
+            # Cache the decrypted value (PrivateAttr fields can be mutated even with frozen=True)
+            self._plaintext_cache = plaintext_dict
+            return plaintext_dict
+        except ValueError as e:
+            error_msg = str(e)
+            # Handle missing encryption key
+            if "No encryption key configured" in error_msg:
+                # Check if the value looks encrypted
+                if CryptoUtils.is_encrypted(self._encrypted_value):
+                    # Value was encrypted, but now we have no key - can't decrypt
+                    logger.warning(
+                        "Cannot decrypt SecretDict value - no encryption key configured. "
+                        "The value was encrypted and requires the original key to decrypt."
+                    )
+                    # Return None to indicate we can't get the plaintext
+                    return None
+                else:
+                    # Value is plaintext JSON (stored when no key was available)
+                    logger.debug("SecretDict value is plaintext JSON (stored without encryption)")
+                    try:
+                        plaintext_dict = json.loads(self._encrypted_value)
+                        self._plaintext_cache = plaintext_dict
+                        return plaintext_dict
+                    except json.JSONDecodeError:
+                        logger.error("Failed to parse SecretDict plaintext as JSON")
+                        return None
+            # Handle decryption failure (might be plaintext JSON)
+            elif "Failed to decrypt data" in error_msg:
+                # Check if it might be plaintext JSON
+                if not CryptoUtils.is_encrypted(self._encrypted_value):
+                    # It's plaintext JSON that was stored when no key was available
+                    logger.debug("SecretDict value appears to be plaintext JSON (stored without encryption)")
+                    try:
+                        plaintext_dict = json.loads(self._encrypted_value)
+                        self._plaintext_cache = plaintext_dict
+                        return plaintext_dict
+                    except json.JSONDecodeError:
+                        logger.error("Failed to parse SecretDict plaintext as JSON")
+                        return None
+                # Otherwise, it's corrupted or wrong key
+                logger.error("Failed to decrypt SecretDict value - data may be corrupted or wrong key")
+                raise
+            # Migration case: handle legacy plaintext
+            elif not self._was_encrypted:
+                if self._encrypted_value:
+                    try:
+                        plaintext_dict = json.loads(self._encrypted_value)
+                        self._plaintext_cache = plaintext_dict
+                        return plaintext_dict
+                    except json.JSONDecodeError:
+                        pass
+                return None
+            # Re-raise for other errors
+            raise
+    def is_empty(self) -> bool:
+        """Check if the secret dict is empty/None."""
+        return self._encrypted_value is None
+    def to_dict(self) -> Dict[str, Any]:
+        """Convert to dictionary for database storage."""
+        return {"encrypted": self.get_encrypted(), "plaintext": self.get_plaintext() if not self._was_encrypted else None}

letta/serialize_schemas/marshmallow_agent.py CHANGED Viewed

@@ -40,6 +40,7 @@ class MarshmallowAgentSchema(BaseSchema):
     core_memory = fields.List(fields.Nested(SerializedBlockSchema))
     tools = fields.List(fields.Nested(SerializedToolSchema))
     tool_exec_environment_variables = fields.List(fields.Nested(SerializedAgentEnvironmentVariableSchema))
+    secrets = fields.List(fields.Nested(SerializedAgentEnvironmentVariableSchema))
     tags = fields.List(fields.Nested(SerializedAgentTagSchema))
     def __init__(self, *args, session: sessionmaker, actor: User, max_steps: Optional[int] = None, **kwargs):
@@ -214,6 +215,9 @@ class MarshmallowAgentSchema(BaseSchema):
         for env_var in data.get("tool_exec_environment_variables", []):
             # need to be re-set at load time
             env_var["value"] = ""
+        for env_var in data.get("secrets", []):
+            # need to be re-set at load time
+            env_var["value"] = ""
         return data
     @pre_load

letta/server/rest_api/routers/v1/__init__.py CHANGED Viewed

@@ -1,4 +1,5 @@
 from letta.server.rest_api.routers.v1.agents import router as agents_router
+from letta.server.rest_api.routers.v1.archives import router as archives_router
 from letta.server.rest_api.routers.v1.blocks import router as blocks_router
 from letta.server.rest_api.routers.v1.embeddings import router as embeddings_router
 from letta.server.rest_api.routers.v1.folders import router as folders_router
@@ -20,6 +21,7 @@ from letta.server.rest_api.routers.v1.tools import router as tools_router
 from letta.server.rest_api.routers.v1.voice import router as voice_router
 ROUTERS = [
+    archives_router,
     tools_router,
     sources_router,
     folders_router,

letta-nightly 0.11.7.dev20250916104104__py3-none-any.whl → 0.11.7.dev20250917104122__py3-none-any.whl

letta-nightly 0.11.7.dev20250916104104py3-none-any.whl → 0.11.7.dev20250917104122py3-none-any.whl